2. Configuring the SGD Gateway
Enabling the Reflection Service
The certificate and private key for the reflection service are stored in the reflection service keystore, at /opt/SUNWsgdg/proxy/etc/keystore.reflection. This keystore is created automatically during installation of the SGD Gateway.
By default, the reflection service keystore contains a single, self-signed certificate and key pair.
To export the reflection service certificate in PEM format, use the keytool command:
# /opt/SUNWsgdg/java/default/bin/keytool -exportcert \
    -alias server-name -rfc \
    -keystore /opt/SUNWsgdg/proxy/etc/keystore.reflection \
    -storepass "$(cat /opt/SUNWsgdg/etc/password)" \
    -file client.pem
where server-name is the alias used for the reflection service certificate in the reflection keystore and client.pem is the file name of the exported certificate.
To export the reflection service private key, use the KeyManager application included with the SGD Gateway:
# /opt/SUNWsgdg/java/default/bin/java \
    -jar /opt/SUNWsgdg/proxy/KeyManager.jar export \
    --keyfile client.key \
    --keystore /opt/SUNWsgdg/proxy/etc/keystore.reflection \
    --keyalias alias-name \
    --keypass "$(cat /opt/SUNWsgdg/etc/password)" \
    --storepass "$(cat /opt/SUNWsgdg/etc/password)"
where alias-name is the alias used for the reflection service key in the reflection keystore and client.key is the file name of the exported key.
The client device uses this certificate and private key to authenticate to the reflection service.
To enable authorized access to the reflection service, run the following command on the SGD Gateway host:
# /opt/SUNWsgdg/bin/gateway config enable --services-reflection-auth
The default binding used for authorized access to the reflection service is TCP port 82 on all interfaces. You can change this to another interface and a port that is not in use, as follows:
# /opt/SUNWsgdg/bin/gateway config edit \
    --services-reflection-binding int:portnum
where int is the interface and portnum is the port number to use for the reflection service.
Restart the SGD Gateway for the change to take effect:
# /opt/SUNWsgdg/bin/gateway restart
$ curl --cert client.pem --key client.key -k -X GET https://gateway.example.com:82
In this example, the curl command accesses the home page of the reflection service at https://gateway.example.com:82, where gateway.example.com is the name of the SGD Gateway. The certificate and private key for the reflection service are client.pem and client.key. The -k option makes curl skip verification of the gateway's own certificate, which is needed unless the client already trusts that certificate, for example while the reflection service is still using its default self-signed certificate.
Use a client application to access the RESTful web services provided by the reflection service. Examples of suitable client applications include the following:
Browser. Using a browser is the simplest method of accessing the reflection service. However, a browser only supports HTTP GET requests and therefore limits access to only those RESTful web services that retrieve information. In practice, using a browser is helpful for tasks such as displaying status information and listing routes and services for the routing proxy.
curl. This is a command-line tool for UNIX and Linux platforms that supports HTTP GET, PUT, POST, and DELETE requests. This means that the full range of RESTful web services for the reflection service can be used. Output from this tool can be redirected to a file, or to another program for further processing.
Alternatively, if you have your own client application that supports RESTful web services, you can use it to access the reflection service.
Note - You do not need to restart the SGD Gateway when you use the reflection service to change the configuration of the routing proxy.
Data can be returned from the reflection service in the following output formats:
ASCII. This is the default output format. Data is returned in tab-delimited ASCII format. This output format is useful if the data is to undergo further processing, such as parsing.
HTML. Data is returned in Hypertext Markup Language (HTML) format, suitable for displaying in a browser. To return HTML output, append /html to the end of the web service Uniform Resource Identifier (URI).
The following table lists the RESTful web services for the SGD Gateway reflection service.
To access a RESTful web service, append the relative URI for the web service to the Uniform Resource Locator (URL) of the reflection service.
For example, to list the available routes for an SGD Gateway, gateway.example.com, append /route to the URL of the reflection service, as follows:
$ curl --cert client.pem --key client.key -k -X GET https://gateway.example.com:82/route
where client.pem and client.key are the certificate and private key for the reflection service. In this example, the client is authorized before accessing the reflection service.
All of the following examples use the curl command as a client application to access the reflection service.
The examples use authenticated access to the reflection service on an SGD Gateway called gateway.example.com. The client is authorized using a certificate, client.pem, and a private key, client.key.
To list the available services for the SGD Gateway:
$ curl --cert client.pem --key client.key -k \
    -X GET https://gateway.example.com:82/service
To stop a route, specify the Route Id that the reflection service uses for the route:
$ curl --cert client.pem --key client.key -k \
    -X GET https://gateway.example.com:82/route
Route Id    Route Uptime     Service Id           ...
0           21h18m20s743m    ssgd-route-service   ...
1           21h18m20s736m    shttp-ssl-service    ...
$ curl --cert client.pem --key client.key -k \
    -X DELETE https://gateway.example.com:82/route/1
To set the global logging level to FINER:
$ curl --cert client.pem --key client.key -k \
    -X PUT https://gateway.example.com:82/logging/level/FINER
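The route listing and stop-route examples above, carried out from a script rather than by hand, as an added example that is not part of the SGD documentation: a Python client that parses the reflection service's tab-delimited ASCII output and stops every route belonging to a named service, and that can verify the gateway's certificate instead of skipping verification as curl -k does. It assumes the header row names the columns Route Id, Route Uptime and Service Id as in the listing above, that the exported client.pem and client.key are in the working directory, and that gateway.example.com is the gateway; the sample listing is constructed, not captured from a gateway.

```python
import ssl
import http.client
from urllib.parse import urlparse

# Constructed sample of the tab-delimited ASCII returned by GET /route,
# modelled on the listing in the documentation (not captured from a gateway).
SAMPLE_ROUTE_LISTING = (
    "Route Id\tRoute Uptime\tService Id\n"
    "0\t21h18m20s743m\tssgd-route-service\n"
    "1\t21h18m20s736m\tshttp-ssl-service\n"
)

def parse_listing(text):
    """Parse tab-delimited ASCII output into one dict per row, keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    return [dict(zip(header, row.split("\t"))) for row in lines[1:]]

def route_ids_for_service(text, service_id):
    """Return the Route Ids of every route served by service_id."""
    return [row["Route Id"] for row in parse_listing(text)
            if row.get("Service Id") == service_id]

def reflection_request(method, url, cert_file, key_file, ca_file=None):
    """Send one request using the exported client certificate and key.
    With ca_file=None the gateway certificate is not verified (like curl -k);
    pass the gateway's certificate as ca_file to verify it instead."""
    u = urlparse(url)
    ctx = ssl.create_default_context(cafile=ca_file)
    if ca_file is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, context=ctx)
    conn.request(method, u.path or "/")
    resp = conn.getresponse()
    body = resp.read().decode("ascii", errors="replace")
    conn.close()
    return resp.status, body

if __name__ == "__main__":
    base = "https://gateway.example.com:82"   # hypothetical gateway name
    status, listing = reflection_request("GET", base + "/route", "client.pem", "client.key")
    for rid in route_ids_for_service(listing, "shttp-ssl-service"):
        reflection_request("DELETE", f"{base}/route/{rid}", "client.pem", "client.key")
```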